Sensitive Information in Financial Services


November 14th, 2003 CS 457a G. Fuldner

Why is Sensitive Information Important in Financial Services?

• It is an information-based industry
• Almost all information generated in financial services is potentially sensitive/private
• There is often potential for significant monetary loss due to lack of privacy

Outline

• Regulations
• Current Problems
• Possible Solutions

Regulations

Gramm-Leach-Bliley

• Official Title: The Financial Modernization Act of 1999
• Ends depression-era separation of investment and commercial banking
• Establishes financial privacy rules and safeguards that must be followed to protect financial data

Definition: Nonpublic Personal Information

• “Nonpublic personal information” is personally identifiable financial information:
– Provided by a consumer to a financial institution
– Resulting from any transaction with the consumer or any service performed for the consumer; or
– Otherwise obtained by the financial institution
– Publicly available information is not included
• Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information is also defined as nonpublic personal information.

GLB: Privacy Rule

• A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless
1. The institution has disclosed to the consumer, in writing or in electronic form, that the information may be disclosed to a third party.
2. The consumer has been given the opportunity to opt out.
• Financial institutions are furthermore required to provide customers with annual notices of their privacy policies, including a listing of the types of nonpublic personal information they gather.

GLB: Privacy Rule II

• A financial institution is free to disclose nonpublic personal information to nonaffiliated third parties under many exceptions
– “To effect, administer, or enforce a transaction requested or authorized by the consumer”
– To service or maintain a consumer’s account
– In connection with a securitization or sale of a consumer’s account
– At the direction of the consumer
– To prevent fraud or unauthorized transactions
– For credit reporting purposes
– In connection with the sale of the institution or a business unit
– At the request of law enforcement

GLB: Who must comply?

• Businesses that are “significantly engaged” in providing financial products or services to consumers
• For example
– Banks/Credit Unions
– Mortgage or Credit Card Lenders
– Securities Brokers
– Investment Advisors
– Insurers
– Check-Cashers
– Credit Reporting Agencies
– ATM Operators

GLB: Safeguards

• Financial regulators define standards for the financial institution relating to administrative, technical, and physical safeguards
– (1) to insure the security and confidentiality of customer records and information;
– (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
– (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

GLB: Safeguards II

• Data Safeguard Standards (FTC Example)
– Designate an information security coordinator
– Identify reasonably foreseeable internal and external risks of unauthorized disclosure of nonpublic information
– Employee training
– Information systems design risk assessment
– Intrusion detection and system monitoring
– Appropriate vendor and service provider oversight

Effects of GLB

• Lots of small-type privacy disclosure forms
• Financial institutions must think about privacy as a part of their broader regulatory compliance process
• Actual IT process impact is limited to the margins
• Common compliance efforts include
– Firewalls
– Network penetration testing / security audits
– SSL in website communications
– VPNs for internal corporate communication

Other Relevant Legislation

• USA Patriot Act
– Requires banks to positively identify new customers and check names against lists of known terrorists
– NOTE: the identification requirement makes anonymity-based customer privacy schemes impossible
• Bank Secrecy Act
– Gives law enforcement broad powers to access nonpublic financial information
– Requires banks to report suspicious activity

Current Problems

Information Risk Factors

• High dependence on information transfer between economic agents to conduct financial transactions
• Industry consolidation has created large conglomerates (ex. Citigroup, BofA) with large distributed IT infrastructures
• Large numbers of customer service and back office workers (ex. tellers, call center reps) have broad access to sensitive customer data
• Increased use of outsourcing distributes sensitive customer data to third parties who have lower incentives to preserve customer privacy

Some Recent Failures

• May 2002: A teller at Bank One sells lists of customer information to an identity theft ring.
• February 2003: 8 million credit card numbers stolen by hackers from the computer system of a Nebraska transaction processor.
• Phishing: an emerging spam problem where users get a malicious e-mail that looks like it comes from a financial institution website (ex. Paypal.com) and requests that users enter passwords or other account information.

Sources: SmartMoney, CNN

Basic Problems Still Exist

• 66% of large financial institutions studied by IBM and Watchfire had one or more Web forms that collected personally identifiable information but did not use SSL encryption.
• 91% of the companies allowed weak forms of SSL (ex. 40-bit RSA) on their websites, while 128-bit is recommended by Federal bank regulators.
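The first finding above can be checked mechanically. The following is an added example, not from the slides or the IBM/Watchfire study: it parses a page's forms, resolves each form's action URL against the page URL, and flags forms that collect PII-looking fields but would submit over plain HTTP. PII_HINTS, FormAuditor and the sample HTML are constructed for illustration.

```python
"""Added example (not from the slides): flag HTML forms that collect
personally identifiable information but submit it without SSL/TLS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that suggest nonpublic personal information (constructed list).
PII_HINTS = ("ssn", "social", "account", "card", "password", "maiden", "dob")


class FormAuditor(HTMLParser):
    """Collects each <form> with its resolved action URL and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL to learn the real scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_pii_forms(html, page_url):
    """Return action URLs of forms that ask for PII but do not post over https."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        collects_pii = any(h in f for f in form["fields"] for h in PII_HINTS)
        if collects_pii and urlparse(form["action"]).scheme != "https":
            findings.append(form["action"])
    return findings


# Constructed sample page: a login form posting over plain http, an application
# form posting over https, and a search form that collects no PII.
SAMPLE = """<form action="/login" method="post">
<input name="userid"><input name="password" type="password"></form>
<form action="https://secure.example.test/apply" method="post">
<input name="ssn"><input name="mothers_maiden_name"></form>
<form action="/search"><input name="q"></form>"""
```

Run over a page fetched over plain HTTP, the relative-action login form is reported while the https application form and the PII-free search form are not.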

Possible Solutions

Industry Needs

• Secure methods for institutions to identify customers (ex. a replacement for SS# and mother’s maiden name)
• Secure methods for customers to identify institutions electronically (ex. a means of verifying the authenticity of a bank website)
• Data access control systems that restrict access to nonpublic personal information to those that need to know and provide an audit trail of access policy exceptions
• Standard methods of enforcing data-use policies with third-party service providers

Resources

• Watchfire (www.watchfire.com) - a suite of IT infrastructure privacy monitoring software tools and consulting services.